> alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned
> root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
This rule will flag any packet, from any port to any port, that contains
the magic string 'uid=0(root)'.
> So it's the "any any" "any any" that's the problem.
Depends a lot on your system. I would almost consider removing
the rule, or at least logging it silently (no alerts, just log the packet
in case you want to look at it later).
> So I should have "$HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any" --
No, that's probably not good. There are two intentions for this rule:
- notify you if someone just made it into your system
- notify you if someone from your network just hacked somebody's system.
So port 80 (HTTP_PORTS) is just one of the ports this rule may apply
to. I think, depending on the scenario you are concerned about, limit
the direction to '$HOME', '$HTTP_SERVERS' or '! $HOME'.
--
---------------------------------------------------------------
jullrich at sans.org Collaborative Intrusion Detection
join http://www.dshield.org
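To make the header discussion above concrete, here is a small evaluator for the header part of a Snort rule, run against a few constructed packets. It is an added illustration written for this page, not Snort's own matching engine and not code from the list post: the `$HOME_NET`, `$EXTERNAL_NET`, `$HTTP_SERVERS` and `$HTTP_PORTS` values, the three extra rules (sids in the local 1000001+ range) and all packets are made up, and only single addresses/CIDRs, single ports and a plain `content` string are handled (no lists, ranges, hex bytes or modifiers). The point it shows is that the "any any -> any any" header fires on every packet carrying the string, while each fixed-direction header covers exactly one of the two scenarios, because the output of `id` always flows from the compromised host back to whoever ran it.

```python
"""Minimal Snort rule-header evaluator (example only, not Snort's engine).
Handles: action proto src sport -> dst dport (options) with 'any', '!spec',
$VAR (resolved recursively), a single IP/CIDR, a single port, and a plain
case-sensitive 'content' string."""
import ipaddress
import re

# Assumed variable values, constructed for this example (real snort.conf differs).
VARS = {
    "$HOME_NET": "192.168.1.0/24",
    "$EXTERNAL_NET": "!$HOME_NET",
    "$HTTP_SERVERS": "192.168.1.10",
    "$HTTP_PORTS": "80",
}

# The rule from the mail plus three hypothetical headers with the same content check.
RULES = {
    "original": 'alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
                'content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)',
    "from_home": 'alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"id root leaving home"; '
                 'content:"uid=0(root)"; sid:1000001; rev:1;)',
    "to_home": 'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"id root entering home"; '
               'content:"uid=0(root)"; sid:1000002; rev:1;)',
    "http_only": 'alert ip $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"id root from web"; '
                 'content:"uid=0(root)"; sid:1000003; rev:1;)',
}

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

def parse_rule(text):
    """Split the header fields and the 'key:value;' options (quotes stripped)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec in VARS:
        return addr_matches(VARS[spec], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec in VARS:
        return port_matches(VARS[spec], port)
    return int(spec) == port

def _ends(rule, a, ap, b, bp):
    return (addr_matches(rule["src"], a) and port_matches(rule["sport"], ap)
            and addr_matches(rule["dst"], b) and port_matches(rule["dport"], bp))

def header_matches(rule, p):
    """'ip' covers every protocol; '<>' is tried in both orientations."""
    if rule["proto"] not in ("ip", p["proto"]):
        return False
    fwd = _ends(rule, p["src"], p["sport"], p["dst"], p["dport"])
    if rule["dir"] == "->":
        return fwd
    return fwd or _ends(rule, p["dst"], p["dport"], p["src"], p["sport"])

def matches(rule, p):
    return header_matches(rule, p) and rule["opts"]["content"] in p["payload"]

def matching_rules(p, rules=RULES):
    """Names of the rules in 'rules' that fire on packet 'p', sorted."""
    return sorted(name for name, text in rules.items() if matches(parse_rule(text), p))

def pkt(proto, src, sport, dst, dport, payload):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, payload=payload)

# Constructed packets; the 'id' output travels from the compromised host to the attacker.
PACKETS = {
    # intruder's web shell on your HTTP server answers 'id' (someone got into your system)
    "intruder_on_webserver": pkt("tcp", "192.168.1.10", 80, "203.0.113.5", 51234,
                                 "HTTP/1.1 200 OK\r\n\r\nuid=0(root) gid=0(root)\n"),
    # an outside server answers 'id' to a host on your network (one of yours got in elsewhere)
    "home_user_hacked_outside": pkt("tcp", "198.51.100.7", 80, "192.168.1.33", 51000,
                                    "HTTP/1.1 200 OK\r\n\r\nuid=0(root) gid=0(root)\n"),
    # a mail leaving your network that merely quotes shell output
    "benign_mail": pkt("tcp", "192.168.1.33", 51002, "198.51.100.25", 25,
                       "Subject: my shell session\r\n\r\n$ id\r\nuid=0(root) gid=0(root)\r\n"),
    "unprivileged": pkt("tcp", "192.168.1.10", 80, "203.0.113.5", 51234, "uid=33(www-data)\n"),
}

if __name__ == "__main__":
    for name, p in PACKETS.items():
        print("%-26s %s" % (name, matching_rules(p)))
```

Running it shows the original rule firing on the web-server compromise, the outbound compromise and the harmless mail alike; `from_home` (or the narrower `http_only`) catches only the first scenario, `to_home` only the second, and nothing fires on the `uid=33(www-data)` reply.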